Vulnerability Development mailing list archives
Re: Win32: Using SEH to search memory
From: <dave () immunitysec com>
Date: 25 Sep 2003 18:05:48 -0000
In-Reply-To: <3F72E421.7080604 () edelweb fr>
From CANVAS's win32search.c, this is what you are looking for.
Dave Aitel
Immunity, Inc.
CANVAS: All the hard work is done for you.

    //push the address of our exception handler
    push %eax
    //we are the last handler, so we push -1
    push $-1
    //move it all into place... (fs:0 is TIB.ExceptionList)
    mov %esp,%fs:(0)
    //Now we have to adjust our thread information block to reflect we may be anywhere in memory
    //As of Windows XP SP1, you cannot have your exception handler itself on the stack - but most
    //versions of windows check to make sure your exception block is on the stack.
    //fs:4 is TIB.StackBase: set it to just past our 8-byte SEH record
    addl $0xc, %esp
    movl %esp,%fs:(4)
    subl $0xc,%esp
    //now we fix the bottom of thread stack (fs:8, TIB.StackLimit) to be right after our SEH block
    movl %esp,%fs:(8)
From: "Nicolas RUFF (lists)" <ruff.lists () edelweb fr>
Date: Thu, 25 Sep 2003 14:48:33 +0200
Organization: EdelWeb
To: Bob Askew <bdaskew () hotmail com>, vuln-dev () securityfocus com
Subject: Re: Win32: Using SEH to search memory
Message-ID: <3F72E421.7080604 () edelweb fr>
In-Reply-To: <BAY7-F748R8RhjPtdYd00018857 () hotmail com>

Windows XP Exception Handler has new protections, such as:
- clearing registers before transferring control to the handler code AND
- not transferring control to handler code located on the stack
Cf. http://std.dkuug.dk/jtc1/sc22/wg21/docs/papers/2003/n1462.pdf
If you run your code on Windows 2000, it should work fine, I guess.

Regards,
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
-----------------------------------

Original message from Bob Askew (Sep 24), quoted below:

I'm trying to search through memory using structured exception handling to avoid crashing when accessing bad memory. Various buffer overflow exploits have used this technique for locating the address of GetProcAdd() or for locating shellcode planted in memory. I have an example written in inline assembly and compiled with Visual Studio on XP. It implements SEH and searches through memory just fine. My handler handles the memory access violations. (Example 1 code below) However, if I stick my handler on the stack, then Windows doesn't send the exception to my handler. (Example 2 code below) Does anyone have any suggestions as to what I might be doing wrong? Does Windows care where a handler lives in memory? Can anyone recommend a good reference for implementing SEH in shellcode?

Example 1:
*****************************************

    #include <stdio.h>

    // simple test for SEH with handler
    void main()
    {
        unsigned int cint = 0;
        __asm {
            jmp gethandler
        start:
            xor ebx, ebx
            xor ecx, ecx
            push dword ptr fs:[ecx]          ; save previous handler (Next field)
            mov dword ptr fs:[ecx], esp      ; install our record at fs:[0]
        search:
            inc ebx
            cmp dword ptr [ebx], 0x00000000  ; causes exception until [ebx] is readable
            ; exception cleanup
            xor ecx, ecx
            mov eax, [esp]                   ; get pointer to previous record
            mov fs:[ecx], eax                ; install previous record
            add esp, 8                       ; clean handler & fs:[0] off stack
            jmp printit
        gethandler:
            call start                       ; pushes address of 'handler' as the handler field
        handler:
            push ebp
            mov ebp, esp
            push ebx
            mov ebx, [ebp+10h]               ; third argument: CONTEXT *
            add ebx, 0xa4                    ; offset of CONTEXT.Ebx
            inc dword ptr [ebx]              ; increment ebx, so the retried cmp probes the next byte
            xor eax, eax                     ; ExceptionContinueExecution
            pop ebx
            mov esp, ebp
            pop ebp
            ret
        printit:
            mov [cint], ebx
        }
        printf("Last ebx = %x\n", cint);
    }

Example 2:
*****************************************

    #include <stdio.h>

    // simple test for SEH with handler located on stack
    void main()
    {
        unsigned int cint = 0;
        unsigned char bytes[] =
            "\xEB\x1B"                   // jmp gethandler
            // start:
            "\x33\xDB"                   // xor ebx,ebx
            "\x33\xC9"                   // xor ecx,ecx
            "\x64\xFF\x31"               // push dword ptr fs:[ecx]
            "\x64\x89\x21"               // mov dword ptr fs:[ecx],esp
            // search:
            "\x43"                       // inc ebx
            "\x83\x3B\x00"               // cmp dword ptr [ebx],0
            // SEH cleanup
            "\x33\xC9"                   // xor ecx,ecx
            "\x8B\x04\x24"               // mov eax,dword ptr [esp]
            "\x64\x89\x01"               // mov dword ptr fs:[ecx],eax
            "\x83\xC4\x08"               // add esp,8
            "\xEB\x1B"                   // jmp printit
            // gethandler:
            "\xE8\xE0\xFF\xFF\xFF"       // call start
            // handler:
            "\x55"                       // push ebp
            "\x8B\xEC"                   // mov ebp,esp
            "\x53"                       // push ebx
            "\x8B\x5D\x10"               // mov ebx,dword ptr [ebp+10h]   (CONTEXT *)
            "\x81\xC3\xA4\x00\x00\x00"   // add ebx,0A4h                  (CONTEXT.Ebx)
            "\xFF\x03"                   // inc dword ptr [ebx]
            "\x33\xC0"                   // xor eax,eax                   (ExceptionContinueExecution)
            "\x5B"                       // pop ebx
            "\x8B\xE5"                   // mov esp,ebp
            "\x5D"                       // pop ebp
            "\xC3"                       // ret
            // printit: (clean exit?)
            "\xFF\xE2";                  // jmp edx
        __asm {
            lea eax, bytes
            lea edx, printit
            jmp eax
        printit:
            mov [cint], ebx
        }
        printf("Last ebx = %x\n", cint);   // probably will never make it here.
    }
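The search loop that the two examples above implement with SEH, written here as an added example that is not code from the thread or from CANVAS: portable C for Linux/macOS, where a POSIX SIGSEGV/SIGBUS handler plus siglongjmp stands in for the SEH handler and ExceptionContinueExecution. The memory layout is constructed with mmap (three anonymous pages, the middle one unmapped, an arbitrary marker value planted in the third) so the program runs offline, and after a fault it skips the rest of the faulting page rather than retrying byte by byte as the posted handler does; none of the Windows on-stack checks discussed in the thread apply to signal handlers.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Resume point for the fault handler and a count of faults taken. */
static sigjmp_buf g_resume;
static volatile sig_atomic_t g_faults;

/* Stand-in for the SEH handler: Bob's handler bumps EBX in the CONTEXT and
 * returns ExceptionContinueExecution; here we count the fault and jump back
 * into the scan loop, which then skips the faulting page. */
static void on_fault(int sig)
{
    (void)sig;
    g_faults++;
    siglongjmp(g_resume, 1);
}

/* Faults taken by the most recent guarded_search() call. */
int last_fault_count(void)
{
    return (int)g_faults;
}

/* Scan [start, end) for a 4-byte little-endian marker, surviving reads of
 * unmapped pages. Returns a pointer to the first match, or NULL. */
const unsigned char *guarded_search(const unsigned char *start,
                                    const unsigned char *end,
                                    uint32_t marker)
{
    struct sigaction sa, old_segv, old_bus;
    const uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    /* volatile: modified between sigsetjmp() and siglongjmp(). */
    const unsigned char *volatile p = start;
    const unsigned char *volatile found = NULL;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* macOS reports some faults as SIGBUS */
    g_faults = 0;

    while (p + 4 <= end) {
        if (sigsetjmp(g_resume, 1) != 0) {
            /* Back from a fault at p: the whole page is bad, skip to the next one. */
            p = (const unsigned char *)(((uintptr_t)p + page) & ~(page - 1));
            continue;
        }
        uint32_t v;
        memcpy(&v, p, sizeof v);        /* the probing read; this is what may fault */
        if (v == marker) {
            found = p;
            break;
        }
        p++;
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return found;
}

/* Constructed layout (not a real process image): three pages, the middle one
 * unmapped, marker at byte 100 of the third. Returns the marker's offset from
 * the region start, or -1. */
long demo_search(void)
{
    const long page = sysconf(_SC_PAGESIZE);
    const uint32_t marker = 0x4D5A9000u;   /* arbitrary constructed value */
    unsigned char *region = mmap(NULL, 3 * page, PROT_READ | PROT_WRITE,
                                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED)
        return -1;
    memcpy(region + 2 * page + 100, &marker, sizeof marker);
    munmap(region + page, page);           /* punch the hole the scan must survive */

    const unsigned char *hit = guarded_search(region, region + 3 * page, marker);
    long off = hit ? (long)(hit - region) : -1;

    munmap(region, page);
    munmap(region + 2 * page, page);
    return off;
}

int main(void)
{
    long off = demo_search();
    printf("marker at offset %ld after %d fault(s)\n", off, last_fault_count());
    return off < 0;
}
```

Two faults are taken: one when the 4-byte read at the last three bytes of the first page spills into the hole, and one when the scan lands on the hole itself; the page-skip then carries the scan into the third page where the marker is found. The same structure (probe, fault, adjust the resume state, retry) is what the inline-assembly examples do, except that there the adjustment is made by editing CONTEXT.Ebx and letting the kernel re-execute the faulting cmp.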
Current thread:
- Win32: Using SEH to search memory Bob Askew (Sep 24)
- Re: Win32: Using SEH to search memory Rodney Thayer (Sep 25)
- Re: Win32: Using SEH to search memory Nicolas RUFF (lists) (Sep 25)
- <Possible follow-ups>
- Re: Win32: Using SEH to search memory dave (Sep 25)